Here you can find technical details about software and hardware configuration.

Thursday, 11 April 2019

FreeBSD nat with pf

A basic set of commands to enable NAT with pf, in the order they are needed:


kldload pf              # load the pf kernel module (not needed if pf is compiled into the kernel)
pfctl -nf /etc/pf.conf  # parse the rules in /etc/pf.conf without loading them (syntax check)
pfctl -f /etc/pf.conf   # load the rules from /etc/pf.conf
pfctl -e                # enable pf

For NAT to do anything the box must also forward packets: set gateway_enable="YES" (which turns on net.inet.ip.forwarding) and pf_enable="YES" in /etc/rc.conf so both survive a reboot.


To flush the nat rules:
pfctl -F nat
A.B.C.D stands for the public IP assigned to the em0 interface.

==================
# cat /etc/pf.conf   # the pf configuration file
nat on em0 from 172.16.16.0/24 to any -> A.B.C.D
###binat on em0 from 172.16.16.2/32 to any -> A.B.C.D
rdr on { em0 re1 }  proto udp from any to A.B.C.D port 10011 -> 172.16.16.2 port 10011
rdr on { em0 re1 }  proto tcp from any to A.B.C.D port 2222 -> 172.16.16.2 port 22

This file holds translation rules only. With no filter rules pf passes all traffic, so the two redirected ports (and everything else) are reachable from anywhere; add block/pass rules if that is not what you want.

=================
# pfctl -s nat          # view the loaded nat/rdr rules (pfctl -sn is the short form)
nat on em0 inet from 172.16.16.0/24 to any -> A.B.C.D
rdr on em0 inet proto udp from any to A.B.C.D port = 10011 -> 172.16.16.2 port 10011
rdr on re1 inet proto udp from any to A.B.C.D port = 10011 -> 172.16.16.2 port 10011

The { em0 re1 } interface list from pf.conf is expanded into one rule per interface.

=================
# pfctl -v -s nat      # verbose: the per-rule counters show whether the nat/rdr rules are matching traffic
No ALTQ support in kernel
ALTQ related functions disabled
nat on em0 inet from 172.16.16.0/24 to any -> A.B.C.D
  [ Evaluations: 171531    Packets: 158       Bytes: 11732       States: 1     ]
  [ Inserted: uid 0 pid 15527 State Creations: 1     ]
rdr on em0 inet proto udp from any to A.B.C.D port = 10011 -> 172.16.16.2 port 10011
  [ Evaluations: 266473    Packets: 46286     Bytes: 64392976    States: 2     ]
  [ Inserted: uid 0 pid 15527 State Creations: 2     ]

==================
# pfctl -F nat       # flush only the nat/rdr rules; filter rules and existing states stay loaded
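The config above contains no filter rules, and the commands are typed one by one. The following added example (not from the original post) generates a complete pf.conf from a few variables, including the filter rules that the post omits, and loads it only after a syntax check. The interface names, the LAN prefix, the placeholder public address and the forwarded ports are assumptions taken from the post; substitute your own.

```shell
#!/bin/sh
# Generate a complete pf.conf for a FreeBSD NAT gateway and load it safely.
# Assumptions: em0 is the public interface, re1 the LAN, 172.16.16.2 the
# internal host receiving the redirected ports (values from the post above).
#
# Usage: gen_pf_conf EXT_IF INT_IF PUBLIC_IP LAN_NET > /etc/pf.conf

gen_pf_conf() {
    ext_if=$1
    int_if=$2
    pub_ip=$3
    lan=$4
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
pub_ip = "$pub_ip"
lan    = "$lan"
srv    = "172.16.16.2"

# Translation rules (pre-4.7 pf syntax, as used by FreeBSD): applied before filtering.
nat on \$ext_if from \$lan to any -> \$pub_ip
rdr on { \$ext_if \$int_if } proto udp from any to \$pub_ip port 10011 -> \$srv port 10011
rdr on { \$ext_if \$int_if } proto tcp from any to \$pub_ip port 2222 -> \$srv port 22

# Filter rules: without these pf passes everything by default.
block in log all
pass out quick keep state
pass in on \$int_if from \$lan to any keep state
# Filter rules see the post-rdr destination, so allow the internal target, not \$pub_ip.
pass in on \$ext_if proto udp to \$srv port 10011 keep state
pass in on \$ext_if proto tcp to \$srv port 22 flags S/SA keep state
EOF
}

# load_pf: parse first, load and enable only if the parse succeeded.
load_pf() {
    conf=${1:-/etc/pf.conf}
    kldload pf 2>/dev/null || true          # already loaded or built in: fine
    pfctl -nf "$conf" || return 1           # syntax check; nothing changes on error
    pfctl -f "$conf" && pfctl -e
    sysctl net.inet.ip.forwarding=1         # the gateway must forward packets for nat to matter
}

if [ "$#" -eq 4 ]; then
    gen_pf_conf "$@"
fi
```

Run `gen_pf_conf em0 re1 A.B.C.D 172.16.16.0/24 > /etc/pf.conf` and then `load_pf`; the rdr rules are kept on both interfaces exactly as in the post. Verify with `pfctl -s rules` and `pfctl -s nat` that both the filter and translation sections were loaded.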

Monday, 7 January 2019

DNS tools

To check the zone serial (SOA record):
====================================================
dig +multi testing.org soa

; <<>> DiG 9.11.5-P1 <<>> +multi testing.org soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28545
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b6fcdd45fb00359c3dcc25225c3d11bdcd75b2a4c9c328a5 (good)
;; QUESTION SECTION:
;testing.org.           IN SOA

;; ANSWER SECTION:
testing.org.            600 IN SOA ns39.domaincontrol.com. dns.jomax.net. (
                                2017081800 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                600        ; minimum (10 minutes)
                                )

;; AUTHORITY SECTION:
.                       469713 IN NS a.root-servers.net.
.                       469713 IN NS f.root-servers.net.
.                       469713 IN NS g.root-servers.net.
.                       469713 IN NS i.root-servers.net.
.                       469713 IN NS m.root-servers.net.
.                       469713 IN NS j.root-servers.net.
.                       469713 IN NS h.root-servers.net.
.                       469713 IN NS e.root-servers.net.
.                       469713 IN NS k.root-servers.net.
.                       469713 IN NS d.root-servers.net.
.                       469713 IN NS l.root-servers.net.
.                       469713 IN NS c.root-servers.net.
.                       469713 IN NS b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     556117 IN A 198.41.0.4
b.root-servers.net.     124117 IN A 199.9.14.201
c.root-servers.net.     124117 IN A 192.33.4.12
d.root-servers.net.     124117 IN A 199.7.91.13
e.root-servers.net.     124117 IN A 192.203.230.10
f.root-servers.net.     124117 IN A 192.5.5.241
g.root-servers.net.     124117 IN A 192.112.36.4
h.root-servers.net.     124117 IN A 198.97.190.53
i.root-servers.net.     124117 IN A 192.36.148.17
j.root-servers.net.     124117 IN A 192.58.128.30
k.root-servers.net.     124117 IN A 193.0.14.129
l.root-servers.net.     124117 IN A 199.7.83.42
m.root-servers.net.     124117 IN A 202.12.27.33
a.root-servers.net.     124117 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net.     124117 IN AAAA 2001:500:200::b
c.root-servers.net.     124117 IN AAAA 2001:500:2::c
d.root-servers.net.     124117 IN AAAA 2001:500:2d::d
e.root-servers.net.     124117 IN AAAA 2001:500:a8::e
f.root-servers.net.     124117 IN AAAA 2001:500:2f::f
g.root-servers.net.     124117 IN AAAA 2001:500:12::d0d
h.root-servers.net.     124117 IN AAAA 2001:500:1::53
i.root-servers.net.     124117 IN AAAA 2001:7fe::53
j.root-servers.net.     124117 IN AAAA 2001:503:c27::2:30
k.root-servers.net.     124117 IN AAAA 2001:7fd::1
l.root-servers.net.     124117 IN AAAA 2001:500:9f::42
m.root-servers.net.     124117 IN AAAA 2001:dc3::35

;; Query time: 61 msec
;; SERVER: 192.168.200.254#53(192.168.200.254)
;; WHEN: Tue Jan 15 00:48:29 EET 2019
;; MSG SIZE  rcvd: 919



To view the MX records:
=====================================================
dig testing.org MX

; <<>> DiG 9.11.5-P1 <<>> testing.org MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23162
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4acc3dbf0e65e9fef34cab265c3d120aea8ec3040158afe7 (good)
;; QUESTION SECTION:
;testing.org.                   IN      MX

;; ANSWER SECTION:
testing.org.            3600    IN      MX      10 aspmx2.googlemail.com.
testing.org.            3600    IN      MX      5 alt2.aspmx.l.google.com.
testing.org.            3600    IN      MX      5 alt1.aspmx.l.google.com.
testing.org.            3600    IN      MX      1 aspmx.l.google.com.
testing.org.            3600    IN      MX      10 aspmx3.googlemail.com.

;; AUTHORITY SECTION:
.                       469636  IN      NS      f.root-servers.net.
.                       469636  IN      NS      k.root-servers.net.
.                       469636  IN      NS      d.root-servers.net.
.                       469636  IN      NS      i.root-servers.net.
.                       469636  IN      NS      e.root-servers.net.
.                       469636  IN      NS      c.root-servers.net.
.                       469636  IN      NS      h.root-servers.net.
.                       469636  IN      NS      a.root-servers.net.
.                       469636  IN      NS      m.root-servers.net.
.                       469636  IN      NS      b.root-servers.net.
.                       469636  IN      NS      g.root-servers.net.
.                       469636  IN      NS      j.root-servers.net.
.                       469636  IN      NS      l.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     556040  IN      A       198.41.0.4
b.root-servers.net.     124040  IN      A       199.9.14.201
c.root-servers.net.     124040  IN      A       192.33.4.12
d.root-servers.net.     124040  IN      A       199.7.91.13
e.root-servers.net.     124040  IN      A       192.203.230.10
f.root-servers.net.     124040  IN      A       192.5.5.241
g.root-servers.net.     124040  IN      A       192.112.36.4
h.root-servers.net.     124040  IN      A       198.97.190.53
i.root-servers.net.     124040  IN      A       192.36.148.17
j.root-servers.net.     124040  IN      A       192.58.128.30
k.root-servers.net.     124040  IN      A       193.0.14.129
l.root-servers.net.     124040  IN      A       199.7.83.42
m.root-servers.net.     124040  IN      A       202.12.27.33
a.root-servers.net.     124040  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     124040  IN      AAAA    2001:500:200::b
c.root-servers.net.     124040  IN      AAAA    2001:500:2::c
d.root-servers.net.     124040  IN      AAAA    2001:500:2d::d
e.root-servers.net.     124040  IN      AAAA    2001:500:a8::e
f.root-servers.net.     124040  IN      AAAA    2001:500:2f::f
g.root-servers.net.     124040  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     124040  IN      AAAA    2001:500:1::53
i.root-servers.net.     124040  IN      AAAA    2001:7fe::53
j.root-servers.net.     124040  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     124040  IN      AAAA    2001:7fd::1
l.root-servers.net.     124040  IN      AAAA    2001:500:9f::42
m.root-servers.net.     124040  IN      AAAA    2001:dc3::35

;; Query time: 67 msec
;; SERVER: 192.168.200.254#53(192.168.200.254)
;; WHEN: Tue Jan 15 00:49:46 EET 2019
;; MSG SIZE  rcvd: 984



To view the default record (an A query when no type is given):
===============
dig testing.org

; <<>> DiG 9.11.5-P1 <<>> testing.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51737
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8bf6f94ba2d476208e77567c5c3d124eac274e8a15e2a506 (good)
;; QUESTION SECTION:
;testing.org.                   IN      A

;; ANSWER SECTION:
testing.org.            600     IN      A       198.71.233.227

;; AUTHORITY SECTION:
.                       469568  IN      NS      l.root-servers.net.
.                       469568  IN      NS      e.root-servers.net.
.                       469568  IN      NS      d.root-servers.net.
.                       469568  IN      NS      k.root-servers.net.
.                       469568  IN      NS      j.root-servers.net.
.                       469568  IN      NS      m.root-servers.net.
.                       469568  IN      NS      c.root-servers.net.
.                       469568  IN      NS      g.root-servers.net.
.                       469568  IN      NS      f.root-servers.net.
.                       469568  IN      NS      h.root-servers.net.
.                       469568  IN      NS      b.root-servers.net.
.                       469568  IN      NS      a.root-servers.net.
.                       469568  IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     555972  IN      A       198.41.0.4
b.root-servers.net.     123972  IN      A       199.9.14.201
c.root-servers.net.     123972  IN      A       192.33.4.12
d.root-servers.net.     123972  IN      A       199.7.91.13
e.root-servers.net.     123972  IN      A       192.203.230.10
f.root-servers.net.     123972  IN      A       192.5.5.241
g.root-servers.net.     123972  IN      A       192.112.36.4
h.root-servers.net.     123972  IN      A       198.97.190.53
i.root-servers.net.     123972  IN      A       192.36.148.17
j.root-servers.net.     123972  IN      A       192.58.128.30
k.root-servers.net.     123972  IN      A       193.0.14.129
l.root-servers.net.     123972  IN      A       199.7.83.42
m.root-servers.net.     123972  IN      A       202.12.27.33
a.root-servers.net.     123972  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     123972  IN      AAAA    2001:500:200::b
c.root-servers.net.     123972  IN      AAAA    2001:500:2::c
d.root-servers.net.     123972  IN      AAAA    2001:500:2d::d
e.root-servers.net.     123972  IN      AAAA    2001:500:a8::e
f.root-servers.net.     123972  IN      AAAA    2001:500:2f::f
g.root-servers.net.     123972  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     123972  IN      AAAA    2001:500:1::53
i.root-servers.net.     123972  IN      AAAA    2001:7fe::53
j.root-servers.net.     123972  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     123972  IN      AAAA    2001:7fd::1
l.root-servers.net.     123972  IN      AAAA    2001:500:9f::42
m.root-servers.net.     123972  IN      AAAA    2001:dc3::35

;; Query time: 32 msec
;; SERVER: 192.168.200.254#53(192.168.200.254)
;; WHEN: Tue Jan 15 00:50:54 EET 2019
;; MSG SIZE  rcvd: 867




To check whether a specific resolver (here Google's 8.8.8.8) resolves the zone. This shows what the public sees through that resolver; to confirm that an authoritative server actually carries the zone, query that server directly with @ns and +norecurse.
###############################

dig @8.8.8.8 testing.org

; <<>> DiG 9.11.5-P1 <<>> @8.8.8.8 testing.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5191
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;testing.org.                   IN      A

;; ANSWER SECTION:
testing.org.            599     IN      A       198.71.233.227

;; Query time: 51 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 15 00:52:38 EET 2019
;; MSG SIZE  rcvd: 56
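The first query above shows how to read a zone serial, but the reason to look at it is usually to find out whether all nameservers for the zone carry the same version. The following added example (not from the original post) extracts the serial from dig output in both layouts shown on this page and compares it across the zone's authoritative servers. The sample outputs embedded in it are constructed to mirror the dig output above; testing.org is a placeholder, and the live check assumes dig and network access.

```shell
#!/bin/sh
# Extract the SOA serial from dig output and compare it across nameservers.

# soa_serial: read `dig <zone> soa` output (with or without +multi) on stdin and
# print the serial. With +multi the serial is on its own line followed by
# "; serial"; in the single-line layout it is the 7th field of the SOA record.
soa_serial() {
    awk '
        /^;/ { next }                         # dig comment and section lines
        $3 == "IN" && $4 == "SOA" && NF >= 7 && $7 != "(" { print $7; exit }
        /; serial/ { print $1; exit }
    '
}

# serials_consistent: read "server serial" pairs on stdin; print "consistent"
# when every server reports the same serial, otherwise print "mismatch" and
# return 1 so the result can drive a monitoring check.
serials_consistent() {
    awk '
        NR == 1 { first = $2 }
        $2 != first { bad = 1 }
        END {
            if (bad) { print "mismatch"; exit 1 }
            print "consistent"
        }
    '
}

# check_zone_serials: live check (needs dig and network). Ask each authoritative
# server directly with +norecurse so a cached answer cannot hide a secondary
# that has stopped transferring the zone.
check_zone_serials() {
    zone=$1
    for ns in $(dig +short "$zone" NS); do
        serial=$(dig +multi +norecurse @"$ns" "$zone" soa | soa_serial)
        printf '%s %s\n' "$ns" "${serial:-NONE}"
    done | serials_consistent
}

# Constructed sample in the +multi layout shown in the post above.
SAMPLE_MULTI='testing.org.            600 IN SOA ns39.domaincontrol.com. dns.jomax.net. (
                                2017081800 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                600        ; minimum (10 minutes)
                                )'
# Constructed sample in the default single-line layout of dig.
SAMPLE_ONELINE='testing.org.            600     IN      SOA     ns39.domaincontrol.com. dns.jomax.net. 2017081800 28800 7200 604800 600'

if [ "$#" -eq 1 ]; then
    check_zone_serials "$1"
fi
```

Run as `./check_serials.sh example.org`. A server reporting NONE did not answer authoritatively for the zone; a server reporting a lower serial than the others is serving stale data, which is the usual sign of a broken zone transfer.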

Openvpn SSL routines:SSL_CTX_use_certificate:ca md too weak

Newer OpenVPN builds (linked against OpenSSL 1.1 or later, which enforces a minimum security level) can refuse certificates created before an upgrade. One such error is: SSL routines:SSL_CTX_use_certificate:ca md too weak. It means the CA certificate is signed with a digest OpenSSL no longer accepts, typically MD5.
In this case change the default_md directive in the openssl.cnf your CA uses from md5 to sha256, then recreate the CA and all certificates and deploy them again on the server and the clients. Changing default_md alone does not repair existing certificates; they keep the signature they were issued with.
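Before rebuilding a PKI it helps to know which certificates are actually affected. The following added example (not from the original post) reads the signature algorithm of every certificate in a directory and flags those signed with MD5 or SHA-1. The directory layout (a flat directory of .crt files) is an assumption; the classification logic runs without openssl, while reading real certificates needs the openssl binary.

```shell
#!/bin/sh
# Find certificates in an OpenVPN PKI whose signature digest OpenSSL 1.1+
# rejects at its default security level ("ca md too weak").

# sig_alg_weak: return 0 when a signature algorithm name is based on MD2, MD4,
# MD5 or SHA-1, e.g. "md5WithRSAEncryption" or "ecdsa-with-SHA1".
sig_alg_weak() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_sig_alg: print the signature algorithm of a PEM certificate (needs openssl).
# The first "Signature Algorithm:" line in the text dump is the one to read.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# check_pki: examine every .crt in a directory (assumed flat layout); print
# WEAK or ok per file and return 1 if anything needs reissuing.
check_pki() {
    dir=${1:-.}
    rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        alg=$(cert_sig_alg "$crt")
        if sig_alg_weak "$alg"; then
            printf 'WEAK  %s  (%s)\n' "$crt" "$alg"
            rc=1
        else
            printf 'ok    %s  (%s)\n' "$crt" "$alg"
        fi
    done
    return $rc
}

if [ "$#" -eq 1 ]; then
    check_pki "$1"
fi
```

Run it against the directory holding ca.crt, server.crt and the client certificates. If ca.crt is flagged, every certificate it issued must be reissued under a new CA regardless of its own digest, because OpenVPN checks the chain up to the CA.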

Saturday, 5 January 2019

How do I verify that a private key matches a certificate? (OpenSSL)


To verify that a private key matches its certificate you need to compare the modulus of the certificate against the modulus of the private key.

To view the modulus of the certificate (the command prints an MD5 hash of the modulus, which is easier to compare than the raw value):
openssl x509 -noout -modulus -in server.crt | openssl md5

You will get a hash such as a77c7953ea5283056a0c9ad75b274b96.

To view the modulus of the private key:
openssl rsa -noout -modulus -in myserver.key | openssl md5

You should get the same hash as for the certificate, i.e. a77c7953ea5283056a0c9ad75b274b96.

If the two hashes differ, this is not the private key for that certificate. Either create a new key and CSR and have the certificate reissued, or search the system for other private keys and compare their moduli. Note that -modulus only exists for RSA keys; for EC keys compare the public keys instead.

To check that an RSA private key is internally consistent:

openssl rsa -noout -check -in privkey.pem
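The modulus comparison above is RSA-specific. The following added example (not from the original post) generalises it: it extracts the public key from a certificate, a private key or a CSR, hashes its DER encoding and compares the hashes, so it works for EC keys as well. It also refuses to report a match when either file could not be read, which the raw hash comparison would not (two empty outputs hash to the same value). File names are assumptions; the checks need the openssl binary.

```shell
#!/bin/sh
# Check that a private key belongs to a certificate by comparing public keys.

# pubkey_pem: print the PEM public key held in a certificate, private key or CSR.
pubkey_pem() {
    case $1 in
        cert) openssl x509 -noout -pubkey -in "$2" ;;
        key)  openssl pkey -pubout -in "$2" ;;
        csr)  openssl req -noout -pubkey -in "$2" ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# pubkey_fp: SHA-256 of the DER-encoded public key. Fails (return 2) instead of
# hashing an empty string when the input file cannot be read.
pubkey_fp() {
    pem=$(pubkey_pem "$1" "$2") || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# key_matches_cert KEY CERT: return 0 when both carry the same public key,
# 1 when they differ, 2 when either file could not be parsed.
key_matches_cert() {
    key_fp=$(pubkey_fp key "$1") || return 2
    cert_fp=$(pubkey_fp cert "$2") || return 2
    [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: $1 belongs to $2"
    else
        echo "NO MATCH: $1 does not belong to $2"
        exit 1
    fi
fi
```

Run as `./keymatch.sh myserver.key server.crt`. The same `pubkey_fp csr request.csr` call lets you confirm that a CSR was generated from the key you are about to deploy before sending it off for signing.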

